feat(teachLink_web): security-no-dependency-vulnerability-scanning-in

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    groups:
+      production-dependencies:
+        dependency-type: production
+      development-dependencies:
+        dependency-type: development

.github/workflows/ci.yml

@@ -7,6 +7,39 @@ on:
       - develop
 
 jobs:
+  security-audit:
+    runs-on: ubuntu-latest
+    name: Dependency Security Audit
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Generate audit report
+        run: pnpm audit --json > audit-report.json || true
+
+      - name: Run security audit (block on high/critical)
+        run: pnpm audit --audit-level=high
+
+      - name: Upload audit report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-audit-report
+          path: audit-report.json
+          retention-days: 30
+
   quality-checks:
     runs-on: ubuntu-latest
     name: Type Check, Lint & Validation

CONTRIBUTING.md

@@ -20,7 +20,7 @@ Your PR will be blocked from merging unless it meets the following:
 
 1. **CI must pass**
 
-   - Required checks: `type-check`, `lint`, `build`, `test` (GitHub Actions: **Frontend CI**)
+   - Required checks: `type-check`, `lint`, `build`, `test`, `security-audit` (GitHub Actions: **Branch Protection**)
 
 2. **Approvals required**
 
@@ -44,6 +44,7 @@ Your PR will be blocked from merging unless it meets the following:
 - `pnpm run lint`
 - `pnpm run test`
 - `pnpm run build`
+- `pnpm audit --audit-level=high`
 
 ## Git hooks
 
@@ -79,3 +80,47 @@ Use the PR template (auto-applied). Ensure it includes:
 ## Security
 
 Do not commit secrets. Use `.env.local` for local environment variables.
+
+### Dependency vulnerability audit
+
+CI runs a `security-audit` job on every pull request to `main` and `develop`. It executes:
+
+```bash
+pnpm audit --audit-level=high
+```
+
+**Policy:**
+
+- **High** and **critical** severity vulnerabilities **fail** the pipeline and block merge.
+- **Low** and **moderate** findings are reported but do not block merge.
+- The full JSON audit report is uploaded as a CI artifact (`dependency-audit-report`) on every run.
+
+Run the same check locally before pushing:
+
+```bash
+pnpm audit --audit-level=high
+```
+
+### Triaging and suppressing accepted risks
+
+If a high or critical CVE cannot be fixed immediately (no patch available, breaking upgrade, or false positive), you may suppress it after maintainer review:
+
+1. Confirm the risk is understood and document the rationale in the PR.
+2. Add the CVE or GHSA identifier to `pnpm.auditConfig` in `package.json`:
+
+```json
+"pnpm": {
+  "auditConfig": {
+    "ignoreCves": ["CVE-YYYY-NNNNN"],
+    "ignoreGhsas": ["GHSA-xxxx-xxxx-xxxx"]
+  }
+}
+```
+
+3. Open a follow-up issue to remove the suppression when a fix is available.
+
+Suppressions require explicit PR approval — do not add ignored CVEs without maintainer sign-off.
+
+### Automated dependency updates
+
+[Dependabot](https://docs.github.com/en/code-security/dependabot) (`.github/dependabot.yml`) opens weekly PRs for npm dependency updates. Review and merge these promptly to keep the dependency tree current.

next-env.d.ts

@@ -1,6 +1,7 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
 /// <reference types="next/navigation-types/compat/navigation" />
+/// <reference path="./.next/types/routes.d.ts" />
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

package.json

@@ -65,7 +65,7 @@
     "idb": "^8.0.0",
     "jsqr": "^1.4.0",
     "lucide-react": "^0.462.0",
-    "next": "15.3.1",
+    "next": "15.5.19",
     "next-themes": "^0.4.6",
     "pg": "^8.20.0",
     "pino": "^9.5.0",
@@ -120,9 +120,9 @@
     "@typescript-eslint/eslint-plugin": "^8.59.1",
     "@typescript-eslint/parser": "^8.59.1",
     "@vitejs/plugin-react-swc": "^3.10.2",
-    "@vitest/coverage-v8": "^2.1.9",
+    "@vitest/coverage-v8": "^3.2.6",
     "eslint": "^9",
-    "eslint-config-next": "15.3.1",
+    "eslint-config-next": "15.5.19",
     "eslint-config-prettier": "^8.10.2",
     "eslint-plugin-prettier": "^4.2.1",
     "eslint-plugin-unused-imports": "^4.4.1",
@@ -135,14 +135,21 @@
     "tailwindcss": "^4.0.0",
     "tsx": "^4.20.3",
     "typescript": "^5.8.3",
-    "vite": "^5.4.19",
-    "vitest": "^2.1.9"
+    "vite": "^6.4.3",
+    "vitest": "^3.2.6"
   },
   "pnpm": {
+    "auditConfig": {
+      "ignoreCves": [],
+      "ignoreGhsas": []
+    },
     "overrides": {
       "react": "^18.3.1",
       "react-dom": "^18.3.1",
-      "next": "15.3.1",
+      "next": "15.5.19",
+      "vite": ">=6.4.3",
+      "vitest": ">=3.2.6",
+      "ws": ">=8.21.0",
       "typescript": "^5.8.3",
       "eslint": "^9",
       "prettier": "^2.8.8"